Malware found scattered by cyber espionage attacks

Researchers following a cyberespionage campaign apparently bent on stealing drone-related technology secrets have found additional malware related to the targeted attacks.

FireEye researchers have been tracking so-called "Operation Beebus" for months, but only last week reported the connection to unmanned aircraft often used in spying. Drones have also been used by the Obama administration to assassinate leaders of the Al-Qaeda terrorist group.

Malware linked to spying

FireEye researcher James Bennett, who was the first to make the drone connection, said last week that he has found two new malware associated with the attack, bringing the total to four.

The first two were versions of the same malware called Mutter. The new malware includes one that uses the same custom encryption scheme, but a different command-and-control protocol. The fourth malware is completely different from Mutter, but uses the same C&C infrastructure.

Bennett has yet to fully analyze the new malware, which he hopes will provide "more threads to follow."

Bennett reported in a blog last week that he had uncovered evidence of cyberattacks against a dozen organizations in the U.S. and India. The attacks against academia, government agencies, and the aerospace, defense and telecommunication industries targeted individuals knowledgeable in drone technology.

The spear-phishing campaign included sending email that contained decoy documents meant to trick recipients into clicking on the file, which would download the malware. One such document was an article about Pakistan's unmanned aerial vehicle industry written by Aditi Malhotra, an Indian writer and associate fellow at the Centre for Land Warfare Studies in New Delhi.

How it worked

Once downloaded, the Mutter malware opened a backdoor to the infected systems in order to receive instructions from C&C servers and to send stolen information. To avoid detection, Mutter is capable of remaining dormant for long periods of time, so that it will eventually be categorized as benign by malware analysis systems.

Despite the exposure, Operation Beebus is still active, although its infrastructure has changed. All but one of the domain names studied by Bennett is no longer in use, but several IP addresses are still active, probably being used with other domains.

"We are still seeing active communications going out with this Mutter malware, so we do know that it's still going," Bennett said.

One in five data breaches are the result of cyberespionage campaigns, according to the latest study by Verizon. More than 95 percent of cases originated from China, with targets showing an almost fifty-fifty split between large and small organizations.